Commentary on Halliburton breach
August 2024, by Jim Doggett, CISO, Semperis
After the Halliburton breach, please find some commentary below from Jim Doggett, CISO, Semperis.
While this is purely speculation, as only Halliburton officials and their security team know what is causing disruptions due to the cyberattack, it wouldn’t surprise me to learn that ransomware is the culprit. Kudos to Halliburton for activating the recovery plan that was in place to deal with these types of incidents. Let’s face it, every organisation needs to adopt a constant breach mindset if they don’t already have one, because cyberattacks are increasing in frequency and it isn’t a matter of if, but when, an attack will occur. In addition, having a robust backup and recovery plan improves the operational resiliency of organisations and will limit disruptions. In many cases, when activating their backup and recovery plan, organisations can isolate fewer systems, limiting business disruptions.
The one constant that does exist in cyberattacks is the criminal intent of the threat actors. They are cold-blooded and typically motivated by financial gain. Unfortunately, as is the case in approximately 90 percent of cyberattacks, identity system compromise occurs, most often of Active Directory or Entra ID, which stores the crown jewels of a business by managing all permissions to a company’s data.
Can organisations prevent breaches like this one from happening in the future? The answer is yes, and it does start with having an assumed breach mindset, because let’s face it, breaches will occur, and no public or private organisation is immune or entirely secure.
Today, it is essential to build operational resiliency into your business plans so that when threat actors strike, you can limit disruptions and keep systems running. There’s no silver bullet that will solve the cybersecurity challenges facing organisations. First, identify the critical services that are “single points of failure” for the business. If critical services go down, then Halliburton or other organisations could be taken offline. Have a plan for “what to do if.” That includes a robust backup, recovery and response program to ensure that if they were also victimised and data is encrypted, they can access their backup data.